TASBot - the perfectionist
Transcript of the slides, uploaded by ange-albertini (category: Technology)
TASBot, the perfectionist
The amazing life & achievements of... TASBot
Twitch.tv/dwangoAC - twitter @MrTASBot

Presented and written by...
Allan 'dwangoAC' Cecil
President of the North Bay Linux Users' Group - http://nblug.org
Senior Engineer at Cyan / Ciena - http://www.ciena.com/
http://tasvideos.org/DwangoAC.html
http://tasbot.net
http://acbit.net
Speedrunning: human limits

Playing games fast
http://speeddemosarchive.com/
● Inspiration: in-game completion timers
● SpeedDemosArchive.com and others track fastest completion times
● Strict rules + peer review: no cheats, no macros
● Typically highly entertaining
● Many categories, ranging from "any%" to "low% no major glitches"
Games Done Quick
Speedrunning marathons for charity, streamed live on Twitch
Classic GDQ (2010), Awesome GDQ (2011-), Summer GDQ (2011-)
Abusing games
AGDQ 2014: https://youtu.be/kIIzE_H7D2g?t=5m27s
Metroid 15:43 World Record: https://www.youtube.com/watch?v=67kQ3l-1qMs

Beyond standard limits! Even 1-handed, blindfolded...
Momodora by Halfcoordinated - SGDQ 2016: https://www.youtube.com/watch?v=JXtUwIW7cL8
Punch-Out blindfolded by Sinister1 - AGDQ 2014: https://www.youtube.com/watch?v=CvzIb53Lcno
Tool-Assisted Speedruns / Superplays
From human limits to hardware limits

TAS (verb / noun) ~ TASer (noun)
"I'm a TASer working on Tetris." / "I'm TASing Tetris."
"I TAS'ed Tetris." / "They made a TAS of Tetris."
Harder Faster Better Stronger
● Early PC game TAS's: savestates, slow motion, and recording tools
● ~1999: Doom Done Quick in 19:41
  https://www.youtube.com/watch?v=BEcrJLM4GgU
  http://web.archive.org/web/20031203222907/http://soramimi.egoism.jp/emu.htm

Inhuman skill on display
● Tools meant hardware limits became the only limits
● TASing looked like the Doped Olympics
  ○ Competitors should admit to doping
  ○ Videos made with TAS tools should be labeled
● NESVideos created by Bisqwit in 2004
  ○ Now at TASVideos.org with runs for many platforms
http://tasvideos.org/WelcomeToTASVideos.html
https://web.archive.org/web/20060511210906/http://bisqwit.iki.fi/nesvideos/
The birth of TASBot
Console verified: pushing hardware limits

Rerecording frameworks
● Console emulators
  ○ lsnes: http://tasvideos.org/Lsnes.html
  ○ BizHawk: http://tasvideos.org/BizHawk.html
● Hourglass: http://tasvideos.org/EmulatorResources/Hourglass.html
● NetHack-specific tools: http://tasvideos.org/GameResources/DOS/Nethack.html
Emulation accuracy evolution
● Clean room reverse engineering
  ○ or stolen manuals
● Early emulators: highly inaccurate
● bsnes: extreme accuracy, poor usability
  http://arstechnica.com/gaming/2011/08/accuracy-takes-power-one-mans-3ghz-quest-to-build-a-perfect-snes-emulator/
  https://web.archive.org/web/20120915125144/http://byuu.org/bsnes/accuracy
● higan: http://byuu.org/emulation/higan/
⇒ match actual hardware, frame for frame
Memory searching, Lua scripting, disassembly
● More than just frame advance and savestates
● Find a specific value: save, reset memory search, run
  ○ Search based on conditions, repeat
● Disassembly of RAM or ROM for complete understanding
https://www.youtube.com/watch?v=RtaS4KEl4Qc
https://www.lua.org/
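An added example, not from the slides or from any TAS tool's code, of the "save, reset memory search, run, search on a condition, repeat" loop described above. Three constructed RAM snapshots stand in for a live emulator, and the lives counter at address $0A, the decoy addresses and the conditions are all assumptions chosen for the illustration.

```python
# Added example (not from the slides or any TAS tool): the "save, run, search
# on a condition, repeat" loop behind emulator memory search, run over
# constructed RAM snapshots instead of a live emulator.
from typing import Callable, List, Set, Tuple

RAM_SIZE = 32          # a toy 32-byte RAM; a real NES has 2 KB of work RAM
Condition = Callable[[int, int], bool]   # (value at last snapshot, value now) -> keep?


def make_snapshots() -> List[bytes]:
    """Three constructed RAM snapshots. Address 0x0A plays the lives counter:
    it starts at 3 and drops by one in each later snapshot. Other addresses
    also hold 3, or change, so that a single condition is not enough."""
    s0 = bytearray(RAM_SIZE)
    for addr in (0x01, 0x03, 0x0A, 0x0D, 0x10, 0x11, 0x17, 0x19, 0x1D):
        s0[addr] = 3                       # decoys that share the value 3
    s0[0x02], s0[0x04], s0[0x07], s0[0x08], s0[0x14] = 7, 9, 2, 5, 6
    s1 = bytearray(s0)                     # after losing a life
    s1[0x0A], s1[0x0D], s1[0x11], s1[0x19] = 2, 2, 2, 2   # four "3"s decrease
    s1[0x02], s1[0x07], s1[0x14] = 8, 1, 7                 # unrelated traffic
    s2 = bytearray(s1)                     # after losing another life
    s2[0x0A] = 1                           # only the real counter keeps dropping
    s2[0x02], s2[0x14] = 9, 8
    return [bytes(s0), bytes(s1), bytes(s2)]


class MemorySearch:
    """Keeps the set of candidate addresses and narrows it snapshot by snapshot,
    the way the RAM search window in BizHawk or lsnes does."""

    def __init__(self, ram: bytes) -> None:
        self.prev = ram
        self.candidates: Set[int] = set(range(len(ram)))

    def narrow(self, ram: bytes, cond: Condition) -> int:
        self.candidates = {a for a in self.candidates if cond(self.prev[a], ram[a])}
        self.prev = ram                    # the new snapshot becomes the baseline
        return len(self.candidates)


# Typical search conditions, expressed over (previous, current) values.
def equals(value: int) -> Condition:
    return lambda prev, cur: cur == value


def decreased(prev: int, cur: int) -> bool:
    return cur < prev


def unchanged(prev: int, cur: int) -> bool:
    return cur == prev


def find_lives_counter(snaps: List[bytes]) -> Tuple[List[int], List[int]]:
    """Narrow from every address to the one that behaves like a lives counter.
    Returns (remaining addresses, candidate count after each step)."""
    search = MemorySearch(snaps[0])
    counts = [
        search.narrow(snaps[0], equals(3)),   # the HUD shows 3 lives
        search.narrow(snaps[1], decreased),   # lost a life: value must go down
        search.narrow(snaps[2], decreased),   # and again
    ]
    return sorted(search.candidates), counts


if __name__ == "__main__":
    addrs, counts = find_lives_counter(make_snapshots())
    print("candidates per step:", counts, "-> lives counter at",
          ", ".join(f"${a:04X}" for a in addrs))
```

The narrowing goes 9 → 4 → 1: a single "equals 3" pass is never enough on its own, which is why the slide says to search on conditions and repeat between runs.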
Abusing handwriting recognition
AGDQ 2016: https://youtu.be/mSFHKAvTGNk?t=29m53s

Editing memory live, directly in the game
SGDQ 2016: https://youtu.be/EHfw-BEuRO8?t=12m28s
TAS ⇔ Infosec equivalents
● Savestate = VM snapshot
● Frame advance = VM CPU step / tick
● Glitch = Vulnerability
● Arbitrary Code Execution = Exploit
● Console verification = Evil maid attack
⇒ TAS = fun, technical, educational
SMB3 Total Control Glitchfest by Lord Tom
AGDQ 2016: https://youtu.be/pj7RE2DcRgc?t=50m23s
TASBot plays... Super Mario Bros. / Super Mario World
Early console verification devices
https://www.youtube.com/watch?v=KQXVgMKJEDY
● 2009
  ○ a PIC to press NES buttons [true]
● 2011
  ○ NESBot [micro500]: first replay of SMB1
    ■ Used at SGDQ 2011 on SMB2 and W&W 3
  ○ Droid64 [SoulCal]
● 2012
  ○ N64 [micro500]
● 2013
  ○ SNES and Genesis Arduino bot [GhostSonic]
  ○ NES/SNES replay device [true]
    ■ Streaming capable and inexpensive but limited datarates
● 2014
  ○ Nintendo R.O.B + board + legos: "TASBot"
● 2015
  ○ Multireplay device [true]: self-contained ⇒ faster datarates
  ○ Game Boy Player Player [endrift] (GBA on GameCube)
TASBot, the perfectionist

TASBot plays Super Mario Bros. in Super Mario World
SMB in SMW by p4plus2 and Masterjun
credits: p4plus2, Masterjun
http://arstechnica.com/gaming/2015/01/pokemon-plays-twitch-how-a-robot-got-irc-running-on-an-unmodified-snes/
https://www.youtube.com/watch?v=YHyaTCuZRzM
TASBot plays the SNES classic... Exploits it via input... A homemade port of the NES classic is sent as payload... An 8-bit game, on a 16-bit system!
dotsarecool
https://www.youtube.com/watch?v=vAHXK2wut_I&index=1&list=PLZctv-xoGbfUolvrW5YTi9J1KnY0l0Xch
You can write specific sequences in the Object Attribute Memory by using specific objects at specific coordinates,
Since CPU instructions are made of specific binary sequences...
...we can take over execution the way we want.
So, just via input...
...you can directly trigger the credits sequence!
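An added example, not from the slides or from dotsarecool's videos, that covers both the "Disassembly of RAM or ROM for complete understanding" bullet earlier and the OAM point above: a small linear-sweep disassembler for a handful of 6502 opcodes (these encodings are the same on the SNES's 65816 in emulation mode), run over a constructed sprite table. The NES-style OAM layout (y, tile, attribute, x), the $0200 shadow page, the sprite values and the addresses $0720 and $8000 are all assumptions chosen for the illustration, not values from any real game.

```python
# Added example (not from the slides or dotsarecool's videos): a tiny
# disassembler for a subset of 6502 opcodes, applied to a constructed OAM table.
# Object Attribute Memory is the sprite list; each entry is y, tile, attribute,
# x in the NES layout assumed here. Read the same bytes as code and they are
# instructions, which is the point the slide makes.
from typing import List, Tuple

# opcode -> (mnemonic, addressing mode); a handful of the 6502's 151 official opcodes
OPCODES = {
    0x00: ("BRK", "impl"), 0x18: ("CLC", "impl"), 0x20: ("JSR", "abs"),
    0x4C: ("JMP", "abs"),  0x60: ("RTS", "impl"), 0x69: ("ADC", "imm"),
    0x85: ("STA", "zp"),   0x8D: ("STA", "abs"),  0xA2: ("LDX", "imm"),
    0xA5: ("LDA", "zp"),   0xA9: ("LDA", "imm"),  0xCA: ("DEX", "impl"),
    0xD0: ("BNE", "rel"),  0xE8: ("INX", "impl"), 0xEA: ("NOP", "impl"),
}
SIZE = {"impl": 1, "imm": 2, "zp": 2, "rel": 2, "abs": 3}


def disassemble(data: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Linear sweep: one (address, text) pair per instruction. Bytes that are
    not in the table, or that run off the end, are emitted as .db data bytes."""
    out, pc = [], 0
    while pc < len(data):
        op = data[pc]
        if op not in OPCODES or pc + SIZE[OPCODES[op][1]] > len(data):
            out.append((base + pc, f".db ${op:02X}"))
            pc += 1
            continue
        mnem, mode = OPCODES[op]
        n = SIZE[mode]
        operand = data[pc + 1:pc + n]
        if mode == "impl":
            text = mnem
        elif mode == "imm":
            text = f"{mnem} #${operand[0]:02X}"
        elif mode == "zp":
            text = f"{mnem} ${operand[0]:02X}"
        elif mode == "rel":                 # signed 8-bit offset from the next instruction
            disp = operand[0] - 0x100 if operand[0] >= 0x80 else operand[0]
            text = f"{mnem} ${(base + pc + 2 + disp) & 0xFFFF:04X}"
        else:                               # abs: little-endian 16-bit address
            text = f"{mnem} ${operand[1]:02X}{operand[0]:02X}"
        out.append((base + pc, text))
        pc += n
    return out


# Constructed sprite entries (y, tile, attribute, x). An object whose y is 0xA9
# and whose tile is 0x01 puts the bytes A9 01 into OAM, which is exactly the
# encoding of LDA #$01. $0720 and $8000 are placeholders, not real game addresses.
SPRITES = [
    (0xA9, 0x01, 0x8D, 0x20),   # LDA #$01 ; STA $0720 (low byte)
    (0x07, 0x4C, 0x00, 0x80),   # (high byte) ; JMP $8000
    (0xEA, 0xEA, 0x60, 0x00),   # NOP ; NOP ; RTS ; BRK
]
OAM_BASE = 0x0200               # the RAM page NES games conventionally DMA to OAM (example only)


def oam_bytes(sprites: List[Tuple[int, int, int, int]]) -> bytes:
    """Serialise sprite entries into the raw OAM byte table."""
    return bytes(b for entry in sprites for b in entry)


def oam_as_code(sprites=SPRITES) -> List[str]:
    """The sprite table viewed as instructions, as a TASer's disassembler shows it."""
    return [text for _, text in disassemble(oam_bytes(sprites), OAM_BASE)]


if __name__ == "__main__":
    for addr, text in disassemble(oam_bytes(SPRITES), OAM_BASE):
        print(f"${addr:04X}  {text}")
```

The same twelve bytes are three harmless sprite records to the PPU and a short, valid instruction stream to the CPU; a disassembler over RAM is how a TASer (or anyone auditing a game) confirms which one the CPU will actually see once execution reaches that page.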
TASLink
http://taslink.org
~184 Kbps was too limiting
32 MHz FPGA: Papilio Pro's Spartan 6 LX
http://papilio.gadgetfactory.net/index.php?n=Papilio.PapilioPro
max poll rate of the serial port (2 Mb/s)

SMB1+2+3+Lost Levels played simultaneously during SGDQ 2016
https://youtu.be/EHfw-BEuRO8?t=58m29s
Anatomy of an Arbitrary Code Execution: Pokemon Red
1. Input exploit
2. Take over the Super GameBoy
3. Gain full access to the Super Nintendo
4. Anything is possible
credits: micro500, Ilari, p4plus2
https://archive.org/stream/pocorgtfo10#page/n5/mode/2up
http://arstechnica.com/gaming/2015/01/pokemon-plays-twitch-how-a-robot-got-irc-running-on-an-unmodified-snes/
Call to action: join the chat for Q&A at http://twitch.tv/dwangoAC
credits: total_, ais523
https://youtu.be/EHfw-BEuRO8?t=1h13m50s
From boot... ...to ending, in 16 frames!
6000 buttons per second!
Some glitches are expected!

DPCM memory ↕ game controller conflict
Flood weak controller code to abuse raster interrupt and take over execution
http://www.qmtpro.com/~nes/chipimages/#rp2a03
http://arstechnica.com/gaming/2016/07/how-to-beat-super-mario-bros-3-in-less-than-a-second/
TASers' lethal weapon
● More flexible than IDA
● Graph view, low level IL and annotation support
● Python scripting
● NES support: ability to add new mappers
♫♪ Am I… cheating?
♬ No, I'm just looking for... technical challenge & visual entertainment!
♩ And I'm not the only one… ;)

♩♬ But more importantly….
GamesDoneQuick raised over $200k USD for charity!
Médecins sans Frontières / Doctors without borders
Prevent Cancer Foundation
http://tasvideos.org/forum/viewtopic.php?p=437688#437688
Thanks to: micro500, Ilari, p4plus2, Masterjun, true, total_, psifertex, rusty, TheAxeMan, ange_, greenfly, ais523 and many, many others